CVE-2026-43915

MEDIUM 5.4

Coturn: Stored Cross-Site Scripting (XSS) in web-admin interface via TURN username

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

0th

Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.11.0 contain a stored cross-site scripting (XSS) vulnerability in the web-admin HTTPS interface. An attacker who can create a TURN allocation with a crafted USERNAME value can inject HTML/JavaScript that executes when an authenticated web-admin user views the TURN session list. In configurations using anonymous TURN access (--no-auth), this may be exploitable without TURN credentials. In authenticated deployments, exploitation requires valid TURN credentials or control over a provisioned username. This issue has been fixed in version 4.11.0.

CWE	CWE-79
Vendor	coturn
Product	coturn
Published	Jun 18, 2026
Last Updated	Jun 18, 2026

Stay Ahead of the Next One

Get instant alerts for coturn coturn

Be the first to know when new medium vulnerabilities affecting coturn coturn are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

coturn / coturn

< 4.11.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/coturn/coturn/security/advisories/GHSA-xxf5-9vj2-g84j github.com: https://github.com/coturn/coturn/releases/tag/4.11.0